219 matches found
GHSA-7723-35V7-QCXW Server-Side Request Forgery (SSRF) in activitypub_federation
Summary This vulnerability allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request. Details The Webfinger endpoint takes a remote domain for checking accounts as a...
CVE-2024-12840
...
python-werkzeug: user may execute code on a developer's machine
A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances. This issue requires the attacker to get the developer to interact with a domain and subdomain they control and enter the debugger PIN; if they are successful, it allows...
python-werkzeug: user may execute code on a developer's machine
A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances. This issue requires the attacker to get the developer to interact with a domain and subdomain they control and enter the debugger PIN; if they are successful, it allows...
CVE-2024-46990
Summary: CVE-2024-46990 affects Directus where blocking localhost via the default 0.0.0.0 filter can be bypassed using other loopback addresses (e.g., 127.0.0.2–127.127.127.127). Vulnerability details (supported by connected docs): Directus real-time API and app dashboard fails to restrict access...
python-werkzeug: user may execute code on a developer's machine
A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances. This issue requires the attacker to get the developer to interact with a domain and subdomain they control and enter the debugger PIN; if they are successful, it allows...
python-werkzeug: user may execute code on a developer's machine
A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances. This issue requires the attacker to get the developer to interact with a domain and subdomain they control and enter the debugger PIN; if they are successful, it allows...
CVE-2024-5736
Server Side Request Forgery SSRF vulnerability in AdmirorFrames Joomla! extension in afGdStream.php script allows to access local files or server pages available only from localhost. This issue affects AdmirorFrames: before 5.0...
CVE-2024-5736 SSRF in AdmirorFrames Joomla! Extension
Server Side Request Forgery SSRF vulnerability in AdmirorFrames Joomla! extension in afGdStream.php script allows to access local files or server pages available only from localhost. This issue affects AdmirorFrames: before 5.0...
PT-2024-37112 · Joomla · Admirorframes
Name of the Vulnerable Software and Affected Versions: AdmirorFrames versions prior to 5.0 Description: The issue is related to a Server Side Request Forgery SSRF vulnerability in the AdmirorFrames Joomla! extension, specifically in the afGdStream.php script. This vulnerability allows access to...
CVE-2024-5482
A Server-Side Request Forgery SSRF vulnerability exists in the 'addwebpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs,...
CVE-2024-4084
A Server-Side Request Forgery SSRF vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...
Important: unbound
Issue Overview: A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw...
CVE-2024-29180 webpack-dev-middleware Path Traversal vulnerability
Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the...
SUSE CVE-2024-1488
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an...
VulnCheck KEV: CVE-2019-9733
An issue was discovered in JFrog Artifactory 6.7.3. By default, the access-admin account is used to reset the password of the admin account in case an administrator gets locked out from the Artifactory console. This is only allowable from a connection directly from localhost, but providing a...
PT-2023-28994 · Arduino · Arduino Create Agent
Name of the Vulnerable Software and Affected Versions: Arduino Create Agent versions prior to 1.3.3 Description: This issue affects the endpoint /v2/pkgs/tools/installed and the way it handles plugin names supplied as user input. A user who has the ability to perform HTTP requests to the localhos...
PT-2023-28993 · Arduino · Arduino Create Agent
Name of the Vulnerable Software and Affected Versions: Arduino Create Agent versions prior to 1.3.3 Description: The issue affects the endpoint "/v2/pkgs/tools/installed". A user who can perform HTTP requests to the localhost interface, or bypass the CORS configuration, can escalate privileges to...
GHSA-3Q5P-3558-364F Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`
Impact This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. In it's...
Fiber Security Breach
Fiber is an open source web framework written in the Go language. A security vulnerability exists in Fiber versions prior to 2.49.1 that stems from not properly restricting access to localhost, which could allow an unauthorized attacker to access resources supplied to the localhost only...